Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 38 replies
  • Subscribers 13 subscribers
  • Views 100110 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

9.4 Endpoint Web Protection is NOT working

RickDunsirn

I've noticed that after a clean install of 9.4, Endpoint Web Protection logs are not populating on my UTM and my endpoints (Windows 10) appear to be able to surf anywhere without any protection.  The Sophos Agent shows Web Control enabled, but it is not blocking sites that it's supposed to.  I'll reiterate, I have cleanly installed 9.400-9 and have refreshed from scratch the Endpoint Protection and I'm still seeing the issue (this was not an upgrade...after the upgrade, this failed as well, so I did everything from scratch and still see the issue).  My endpoints are showing up just fine under Endpoint Protection on the gateway and the antivirus appears to be working, just not the web protection.  Here is a sample of the Endpoint Protection Logs:

2016:03:25-10:11:27 rickshome epsecd[10282]: I id="4211" severity="info" sys="System" sub="epsecd" name="Received report(s) from Sophos LiveConnect"
2016:03:25-10:11:27 rickshome epsecd[10282]: I id="4212" severity="info" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="-1"
2016:03:25-10:13:15 rickshome epsecd[10282]: I id="4211" severity="info" sys="System" sub="epsecd" name="Received report(s) from Sophos LiveConnect"
2016:03:25-10:13:15 rickshome epsecd[10282]: I id="4212" severity="info" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="-1"
2016:03:25-10:15:03 rickshome epsecd[10282]: I id="4211" severity="info" sys="System" sub="epsecd" name="Received report(s) from Sophos LiveConnect"
2016:03:25-10:15:03 rickshome epsecd[10282]: I id="4212" severity="info" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="-1"
2016:03:25-10:17:46 rickshome epsecd[10282]: I id="4211" severity="info" sys="System" sub="epsecd" name="Received report(s) from Sophos LiveConnect"
2016:03:25-10:17:46 rickshome epsecd[10282]: I id="4212" severity="info" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="-1"
2016:03:25-10:19:04 rickshome epsecd[10796]: I main::_log:435() =>  severity="info" sys="System" sub="eplog" name="curl_base_url: e53611b9-7d74-339e-b3f2-4e2addb92ca2-wdx-7d74.broker.sophos.com/.../"
2016:03:25-10:19:34 rickshome epsecd[10282]: I id="4211" severity="info" sys="System" sub="epsecd" name="Received report(s) from Sophos LiveConnect"
2016:03:25-10:19:34 rickshome epsecd[10282]: I id="4212" severity="info" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="-1"
2016:03:25-10:19:35 rickshome epsecd[10282]: I id="4233" severity="info" sys="System" sub="epsecd" name="Sending data to Sophos LiveConnect to sync UTM Web Policy Changeset"
2016:03:25-10:19:38 rickshome epsecd[10282]: I id="4213" severity="info" sys="System" sub="epsecd" name="User triggered changes in webadmin"
2016:03:25-10:22:21 rickshome epsecd[10282]: I id="4211" severity="info" sys="System" sub="epsecd" name="Received report(s) from Sophos LiveConnect"
2016:03:25-10:22:21 rickshome epsecd[10282]: I id="4212" severity="info" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="-1"
2016:03:25-10:23:16 rickshome epsecd[10282]: I id="4233" severity="info" sys="System" sub="epsecd" name="Sending data to Sophos LiveConnect to sync UTM Web Policy Changeset"
2016:03:25-10:23:19 rickshome epsecd[10282]: I id="4213" severity="info" sys="System" sub="epsecd" name="User triggered changes in webadmin"
2016:03:25-10:24:12 rickshome epsecd[10282]: I id="4211" severity="info" sys="System" sub="epsecd" name="Received report(s) from Sophos LiveConnect"
2016:03:25-10:24:12 rickshome epsecd[10282]: I id="4212" severity="info" sys="System" sub="epsecd" name="Acknowledging report(s)" reports="-1"

I do see the reports coming in, but I'm a little bit concerned on the "-1" for acknowledgement.

Any ideas on what I can do next?  If you need more information, please let me know!


This thread was automatically locked due to age.
  • 0

    You mentioned Windows 10 clients are having the issue... Do you have any older versions of Windows and are they behaving properly?

    Also, did you have any issues prior to moving to 9.4? It's hard to tell if this related to Win10 or UTM 9.4.

  • 0 in reply to Dlabun

    This very well could be.  I do know it worked on Windows 10 at one time (have several clients on Windows 10 and it worked fine on multiple versions of 9.3 from September, 2015 -- February, 2016)...but stopped working back in February on version 9.355.  I am doing more testing and have found the following:

    1.)  I have one Windows 10 box that was working and I have never "uninstalled" the client agent.  I have installed OVER the client agent when I installed the new 9.4 from scratch.  The directory structure on that box under C:\ProgramData\Sophos\Web Control\Policy shows that there is a policy there (there are files in that directory), but it doesn't appear to be updating when I make changes to the web content filter.   No Web Control logs are getting to Sophos, however.

    2.)  I have another Windows 10 box that is brand new.  I installed the 9.4 client agent on that box from scratch.  The directory structure under C:\ProgramData\Sophos\Web Control\Policy shows nothing.  It's almost like the policy can't get into the directory or it isn't updating for some reason?

    I will try to spin up a Windows 7 box and see if I have the same issues.  I do know the Sophos Endpoint Cloud works fine on Windows 10 (tried and installed this and it worked just great), just not the endpoint web control service using the UTM.

    Another thing I have found... I just downgraded my UTM to 9.351 and I still am experiencing the same issues!  Either something changed in Windows 10 that is blocking endpoint web control policy changes or something changed on the Sophos server side and how it communicates with the agent.

    I'll continue to research!

  • 0 in reply to RickDunsirn
    Windows 10 did break most security programs so I wouldn't be surprised if it was the culprit. If you have the interest the latest Windows 10 beta does contain fixes related to antivirus programs.
  • 0 in reply to Dlabun

    Just another tidbit of information.  I did install the Sophos Cloud-based Home Security agent on one of my Windows 10 boxes and it appears to be working just fine.  The directory structure is pretty much the same as the Sophos UTM Endpoint Agent (C:\ProgramData\Sophos\Web Control\Policy) and it is fully populated with policy files.  If it is using a similar software engine as the UTM Endpoint Agent, Windows 10 doesn't seem to be an issue.

    I am spinning up a Windows 7 box right now to check to see if this works with the UTM Endpoint Web Protection.

  • 0 in reply to RickDunsirn

    Just loaded my Windows 7 box and installed the Sophos Endpoint Agent.  Same exact issue.  No files are populating under C:\ProgramData\Sophos\Web Control\Policy and Web Protection is not working.  Also am not seeing Web Protection logs on the UTM.  It appears this is something on Sophos' side (either with the agent, the UTM code or the Sophos Update site issue).  Please let me know if you need any more information to help debug this.  

  • 0 in reply to RickDunsirn

    It does appear to be an issue with either the Sophos client or the UTM firmware. This is a home license, correct?

  • 0 in reply to Dlabun

    That is correct...home license.

  • 0 in reply to RickDunsirn

    I will attempt to reproduce the issue on my test environment... If I get the same issue I can open a ticket to Sophos. 

    From poking around the forum it looks like other people started reporting this issue on 9.355... If you're willing, you could install 9.354 and see if works correctly. That will at least indicate if it's a UTM firmware issue.

  • 0 in reply to Dlabun

    Thanks much for trying to reproduce the issue in your environment.  If you need my backup file, I'd be willing to send that to you as well.

    I noticed this issue in 9.355 as well.  I actually did move back to 9.351 this past weekend and still had the same issues, which is odd.  It's almost like the cloud based service changed in some way that broke endpoint web protection altogether.  Endpoints running web protection previous to this issue still work just fine because the policy file is still populated (it doesn't get touched).  In fact, I still have a PC today that still blocks websites in my ruleset because it has the policy list still in the directory space (and my ruleset hasn't changed).  If I were to completely remove the Sophos agent and re-install, the policy file never loads to the machine and all sites are allowed.  In other words, people may not notice this issue until they add new clients or go out looking for endpoint web protection logs.

  • 0 in reply to RickDunsirn

    I noticed it broken in some previous version (recent) of UTM as well.. .but I did not open a support case.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

Unfiltered HTML